hello, we use so called "tunnel sites" with our proxy configuration. that means, we have two types of users: 1) user with (full) internet access, 2) users which only allowed to access certain websites. for this we have setup an acl which lists domains that are free to access dstdomain .some.site dstdomain .free.site dstdomain .foo.com the problem comes up, when these sites include stuff from other sites. most of the time ads, statitics. etc. so we have not only have to list the sites but also list "all" other sites. eg. dstdomain .some.site dstdomain .ad.server dstdomain analytics.google.com dstdomain .ivwbox.de this is quite annoying. both for us but also for our users. we use ntlm auth. when they access those "tunnel" sites it happens that the (basic ntlm) auth dialog coming up, as the user was authenticated but not allowed to access internet, so squid asks for a user/password which has internet access. is there any chance to change this? when an ad banner is included from another site, squid can't really know that this is a "good" ad because it comes from a free tunnel website. there is a authenticate_ttl which "caches" successfull authentications. is there a way to have also not successfull authentications to be cached/rememebered for a certain time? eg. ask for authentication, user hits cancel and squid won't ask for another authentication for the next hour or so... is there any other way to solve this problem? -- mit freundlichen Grüßen Markus Rietzler - <rietzler_software/> Rechenzentrum der Finanzverwaltung NRW
